lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <005301c3bf47$8b3fe6f0$0f02a8c0@wcglap001>
From: ruiper at shaw.ca (Rui Pereira)
Subject: Re: Internet Explorer URL parsing vulnerability

I am also on SP2...you are SP1

R

-----Original Message-----
From: Exibar [mailto:exibar@...lair.com] 
Sent: December 10, 2003 9:52 AM
To: Rui Pereira
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability

Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be
the
httpS that's throwing it..

----- Original Message ----- 
From: "Rui Pereira" <ruiper@...w.ca>
To: "'Exibar'" <exibar@...lair.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability


> Er, on IE6.0.2800.1106.xpsp2....this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://www.paypal.com%01@....let_me_steal_your_money.com
>
> so I completely know where you're coming from.
>
>   exibar
>
>
> ----- Original Message ----- 
> From: "Feher Tamas" <etomcat@...email.hu>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > >Proof-of-Concept here:
> > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > >Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it
was
> > a highly irresponsible act to disclose it to the public, without
> giving
> > Microsoft a reasonable timeframe to produce a fix. It may even
qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will be
> certainly
> see
> > active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance
to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few
> billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will
> curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
>




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ